If you're a student or teacher in a computer science school of a big college, chances are good that you pick stronger passwords than your peers in the arts school. In turn, the arts students usually pick better passwords than those in the business school, according to research presented this week.

The landmark study is among the first to analyze the plaintext passwords that a sizable population of users choose to safeguard high-value accounts. The researchers examined the passwords of 25,000 faculty, staff, and students at Carnegie Mellon University used to access grades, e-mail, financial transcripts, and other sensitive data. The researchers then analyzed how guessable the passwords would be during an offline attack, such as those done after hackers break into a website and steal its database of cryptographically hashed login credentials. By subjecting the CMU passwords to a cracking algorithm with a complex password policy, the researchers found striking differences in the quality of the passwords chosen by various subgroups within the university population.

For instance, people associated with CMU's computer science and technology schools chose passwords that were more than 1.8 times stronger than those used by people in the business school. In between these two groups were people associated with the art school. Statistically speaking, passwords picked by computer science and technology users were only 68 percent as likely to be guessed as arts users and only 55 percent as likely to be cracked as people in the business school. Stated differently, the number of attempts required to successfully guess 100 arts school passwords in the typical offline crack would yield passwords for 124 people in the business school and 68 people in the computer science school.

The research paper, titled Measuring Password Guessability for an Entire University (PDF), is significant because it's among the few that have studied a statistically significant sample of passwords used for high-value accounts. By comparison, the findings of many previous studies have been less reliable because they analyzed smaller numbers of passwords, passwords taken from real-world database breaches, or passwords created for one-off accounts set up for research purposes.

"This kind of experiment can't tell us anything about why this effect is going on, just that it is," Michelle L. Mazurek, one of the researchers who wrote the paper, told Ars. (Disclosure: Mazurek is married to Ars Senior Gaming Editor Kyle Orland.) She continued:

So it could mean that business school users don't know how to make stronger passwords (that is, they are trying but aren't as good at it), or it could mean they are making less effort or care less about protecting their accounts, or something else entirely. I think in practice it means that some extra education may be needed either to help those users learn to make stronger passwords or to give them more motivation to make stronger passwords. In general I think if you are a sysadmin trying to bring up the strength of passwords across the organization, it gives you some sense of where to focus your efforts (at least in populations that somewhat resemble the CMU population).

Perhaps not surprisingly, the researchers also found that length and other password characteristics are strongly correlated to strength. With the addition of each lowercase letter or digit, for instance, a password is 70 percent as likely to be guessed. Adding special symbols or uppercase letters made passwords even stronger, reducing the likelihood of guessing to 56 percent and 46 percent respectively. The researchers go into additional detail:

Placing digits and symbols anywhere but at the end, which is the baseline for the regression, is also correlated with stronger passwords. Multiple characters spread out in more than one location are associated with the strongest passwords—only 20% and 30% as likely to be guessed as passwords with digits and symbols, respectively, at the end. Placing uppercase characters at the beginning instead of at the end of a password is associated with much weaker passwords: 88% more likely to be guessed.
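As an added illustration (not code from the article or from the paper), the following Python sketch composes the relative-likelihood factors quoted above into a crude comparison of two password shapes, the kind of feedback a policy tool could give users. It is a simplified reading of the reported coefficients, not the paper's regression model: the placement rules ("at the end" means after the last letter, "at the beginning" means the first character) are my own assumptions, and only ratios between two passwords are meaningful, never absolute crack times.

```python
import string

# Per-character factors reported in the article: each added character of
# this class multiplies the likelihood of the password being guessed.
PER_CHAR = {"lower": 0.70, "digit": 0.70, "symbol": 0.56, "upper": 0.46}
# Placement factors relative to the regression baseline (digits/symbols at
# the end). How "at the end" and "at the beginning" are defined below is an
# assumption made for this sketch, not the paper's feature definition.
DIGITS_NOT_AT_END = 0.20
SYMBOLS_NOT_AT_END = 0.30
UPPER_AT_START = 1.88


def classify(ch):
    """Map a character to one of the four classes used in the article."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    return "symbol"


def at_end(classes, kind):
    """True if every character of `kind` comes after the last letter (assumed baseline)."""
    last_letter = max((i for i, c in enumerate(classes) if c in ("lower", "upper")), default=-1)
    return all(i > last_letter for i, c in enumerate(classes) if c == kind)


def relative_guessability(pw):
    """Relative likelihood of being guessed; compare two results, never read one alone."""
    classes = [classify(c) for c in pw]
    score = 1.0
    for c in classes:
        score *= PER_CHAR[c]
    if "digit" in classes and not at_end(classes, "digit"):
        score *= DIGITS_NOT_AT_END
    if "symbol" in classes and not at_end(classes, "symbol"):
        score *= SYMBOLS_NOT_AT_END
    if classes and classes[0] == "upper":
        score *= UPPER_AT_START
    return score


def guess_ratio(a, b):
    """How many times more likely `a` is to be guessed than `b` under this toy model."""
    return relative_guessability(a) / relative_guessability(b)
```

Moving the same digit and symbol from the tail into the middle of an otherwise identical password changes the ratio by a factor of 0.20 x 0.30, which is the point the paper's excerpt makes about spreading non-letters out.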

The researchers also found that men in the study used slightly stronger passwords than women. Men's passwords were 92 percent as likely as women's to be guessed, meaning on average the number of attempts required to successfully guess 100 women's passwords would yield 92 passwords belonging to men.

The research also showed that people who pick stronger passwords have higher rates of failed login attempts and that users who report annoyance with CMU's stringent password policy picked weaker passcodes.

Promoted Comments

The landmark study is among the first to analyze the plaintext passwords...

So, how did they get all those plaintext passwords to study? Is CMU really keeping a database of unhashed passwords?

From the linked study:

Quote:

Plaintext passwords were made indirectly available to us through fortunate circumstances, which may not be reproducible in the future. The university was using a legacy credential management system (since abandoned), which, to meet certain functional requirements, reversibly encrypted user passwords, rather than using salted, hashed records. Researchers were never given access to the decryption key.

I'll agree with the premise that CS students know what makes a password strong or weak and business students don't. If they made a study and gave the CS students a dummy Forex account with leverage of 10:1 and asked them if this was a high or low leverage ratio, how do you think they'd fare? This is a matter of education. Of course, I won't ignore the elephant in the room: it's a lot more important that the business guy who might end up being responsible for other people's money understands the security of his passwords than it is for me to understand how Forex leverage works.

Well except the art students are the curve ball in that argument.

I have a theory. At CMU, the arts department has a lot of contact with the science (including CS) department. They even have Intercollege Degree Programs. Note that business isn't anywhere to be seen there. So, arts students might generally be in more contact with CS than business students. If you constantly hang out with people in the CS field, or have even possibly taken CS, science, or mathematics courses as part of your degree, there's a good chance you at least pick up concepts like what makes a strong password. Of course the CS students will pick up some pieces of your knowledge too, but those aren't the focus of this particular article. This is just basic human interaction.

This is interesting for so many reasons. Is it suggestive of cognitive differences amongst students who self-select to study things that reinforce their interests or traits? For example, do business students tend to be very "outcome oriented" and use certain heuristics to allocate where they focus their efforts that are different from those used by engineering and compsci students? I can see that. If students who self-select for business tend to be very "outcome oriented", then picking a password is merely a time-wasting obstacle to achieving an objective (what resides in the system protected by the password). Every cycle burned in coming up with a difficult-to-attack (yet easy to remember) passphrase is a cycle NOT focused on attending to the problem at hand.

To the CompSci student? It is an engineering challenge in itself: "What password creation algorithm can I use that will generate the most difficult-to-guess password, while remaining easy to remember? How about the first three letters of the first names of all of my cousins on my dad's side, in reverse chronological order?"

While an interesting study in and of itself (in terms of IT security and corporate controls design decisions), to me the more exciting question is whether the choice of password signifies a deeper difference in cognitive style and heuristic use amongst people who self-select to different careers.